ICO hand brake turn on “implied consent” for cookies

Just 24 hours before it was due to begin full enforcement of new laws requiring consent to be obtained for the use of “cookies” and similar tracking technology by websites, apps and emails, the UK data watchdog published revised guidance. The “only” change related to so-called “implied consent”. Stephen Groom reports.

Topic: Online advertising

Who: Information Commissioner's Office

When: May 2012

Where: Wilmslow, Cheshire

Law stated as at: 11 June 2012

What happened:

Literally on the eve of full enforcement of laws requiring consent for the use of so-called "cookies" by websites and emails, the UK's data protection regulator, the Information Commissioner's Office ("ICO"), published revised guidance which performed something of a hand-brake turn on a key issue for all those using cookies and similar technology.

The issue was that of "implied consent".

To recap briefly, with effect from 26 May 2011, the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PCRs") were amended by EU Directive 2009/136/EC.

A key change was made to the "Confidentiality of communications" regulation 6. The combined effect of paragraphs 6(1) and 6(2) of the PCRs is now that:

"a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the subscriber or user of that terminal equipment:

(a) is provided with clear and comprehensive information about the purposes of the storage of or access to, that information; and

(b) has given his or her consent."

The only exceptions to the above were where the technical storage of, or access to, the terminal was:

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage of or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The wording added to the 2003 measure by the 2009 Directive is underlined.

When the new Regulations came into force, ICO announced that to give the industry time to assimilate the new rules and make suitable adjustments, there would be a one year period of grace. Then full enforcement would start with effect from Saturday 26 March 2012.

Concerns over timing of consent and "implied consent"

Cookie users had two key concerns as they took steps towards compliance. The first was whether the required consent had to be obtained before the cookie was dropped on the user or subscriber's terminal.

Secondly, would "implied consent," where for instance a box had not actually been ticked to signify consent, deliver the level of consent needed?

Guidance on the new rules published by ICO in December 2011 clarified the position on the "prior consent" issue. ICO said:

"Wherever possible, the setting of cookies should be delayed until users have had the opportunity to understand what cookies are being used and make their choice.

Where this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options."

So consent after the event was OK provided it could be shown that it was simply not possible to delay the setting of the cookie until a short time after the user's arrival at the site. The mechanism for consent also had to go into action quickly after arrival on the site.

Implied consent unlikely to be viable for years-ICO in December 2011

On the second, knotty question of "implied consent", ICO was not so encouraging:

It said:

"A reliance on implied consent in any context must be based on a definite shared understanding of what is going to happen - in this situation a user has a full understanding of the fact that cookies will be set, is clear what cookies do and signifies their agreement.

At present evidence demonstrates that general awareness of the functions and uses of cookies is simply not high enough for websites to look entirely in the first instance on implied consent. As consumer awareness increases over the next few years it may well be easier for organisations to rely on that shared understanding to a greater degree."

Hardly encouraging for those looking to implied consent for instant relief from the rigours of opt-in.

Implied consent has always been a valid way of obtaining consent-ICO May 2012

Then on 25 May 2012, ICO published revised guidance. Comparison with the previous version quickly revealed that the only substantive change was to the "implied consent" section. From a dismissive half page, the section had grown like Topsy to nearly four pages.

The key passage set the tone as follows:

"Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of [the use of cookies and similar devices]. While explicit consent might allow for regulatory certainty ... this does not mean that implied consent cannot be compliant."

The guidance then helpfully goes into some detail on the new approach and its practical implications. It states:

"For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might, for example, be visiting a website, moving from one page to another or clicking on a particular button.

The key point is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set."

So it appeared that on implied consent, too, ICO had now taken a more industry-friendly approach, albeit at a late stage before full enforcement started in earnest.

Why this matters:

As publishers increasingly bite the consent bullet, it is becoming clear that cookie users are grasping the opportunities offered by ICO with both hands, with implied consent obtained quickly after the event clearly very popular as a means of working towards compliance.

So the vast majority of cookie users who kept their powder dry until beyond the last minute were rewarded for their dillying and dallying.

Whether this leads to the UK being significantly out of step with most of its EU brethren and incurring the anger of the European Commission, which has recently announced enforcement action against Belgium, the Netherlands, Poland, Portugal and Slovenia for failure to implement the directive, remains to be seen.